ANSI INCITS ISO IEC 9797-2-2002 Information technology Security techniques Message Authentication Codes (MACs) Part 2 Mechanisms using a dedicated hash-function (Adopted by INCITS).pdf

1、 Reference numberISO/IEC 9797-2:2002(E)ISO/IEC 2002INTERNATIONAL STANDARD ISO/IEC9797-2First edition2002-06-01Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function Technologies de linformation Techniques de scurit Codes daut

2、hentification de message (MAC) Partie 2: Mcanismes utilisant une fonction de hachage Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 12/3/2002Published by American National Standards Institute,25 West 43rd Stree

3、t, New York, New York 10036Copyright 2002 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (A

4、NSI), and Information Technology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Stree

5、t NW,Washington, DC 20005.Printed in the United States of AmericaISO/IEC 9797-2:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are lice

6、nsed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of t

7、he software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating

8、to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, witho

9、ut permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii ISO/IEC 2002 All righ

10、ts reservedISO/IEC 9797-2:2002(E) ISO/IEC 2002 All rights reserved iiiContents1 Scope 12 Normative references 13 Terms and definitions 14 Symbols and notation 25 Requirements 36 MAC Algorithm 1 36.1 Description of MAC Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

11、. . . . 46.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.1.2 Step 2 (modification of the constants and the IV) . . . . . . . . . . . . . . . . . . . . . . . . . 46.1.3 Step 3 (hashing operation) . . . . . . . . . . . . . . . . . . . .

12、 . . . . . . . . . . . . . . . . . . 46.1.4 Step 4 (output transformation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.1.5 Step 5 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.2 Efficiency . . . . . . . . . . . .

13、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.3 Computation of the constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46.3.1 Dedicated Hash-Function 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

14、 . . 56.3.2 Dedicated Hash-Function 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56.3.3 Dedicated Hash-Function 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 MAC Algorithm 2 57.1 Description of MAC Algorithm 2 . . . . . . . . . . .

15、. . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.1.2 Step 2 (hashing operation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.1.3 Step 3 (output

16、transformation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.1.4 Step 4 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17、 . . . . . . . . . . 68 MAC Algorithm 3 68.1 Description of MAC Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68.1.1 Step 1 (key expansion) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68.1.2 Step 2 (modification of the

18、 constants and the IV) . . . . . . . . . . . . . . . . . . . . . . . . . 78.1.3 Step 3 (padding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78.1.4 Step 4 (application of the round-function) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78.1.

19、5 Step 5 (truncation) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78.2 Efficiency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7ISO/IEC 9797-2:2002(E) iv ISO/IEC 2002 All rights reservedForeword ISO

20、(the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committee

21、s established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

22、 In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Stand

23、ards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the element

24、s of this part of ISO/IEC 9797 may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. ISO

25、/IEC 9797 consists of the following parts, under the general title Information technology Security techniques Message Authentication Codes (MACs): Part 1: Mechanisms using a block cipher Part 2: Mechanisms using a dedicated hash-function Further parts may follow. Annexes A and B of this part of ISO/

26、IEC 9797 are for information only. ISO/IEC 9797-2:2002(E) ISO/IEC 2002 All rights reserved vIntroductionThe International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) drawattention to the fact that it is claimed that compliance with this part of ISO/IEC

27、9797 may involve the use of a patentconcerning MAC Algorithm 1 (MDx-MAC) given in Clause 6.ISO and IEC take no position concerning the evidence, validity and scope of this patent right.The holder of this patent right has assured the ISO and IEC that he is willing to negotiate licenses under reasonab

28、leand non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement ofthe holder of this patent right is registered with the ISO and IEC. Information may be obtained fromEntrust Technologies, Technology Licensing Dept., 750 Heron Road, Ottawa, Ontario,

29、Canada K1V 1A7.Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 9797 may be the subject ofpatent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or allsuch patent rights.INTERNATIONALSTANDARD ISO/IEC 97972

30、:2002(E)InformationtechnologySecuritytechniquesMessageAuthenticationCodes(MACs)Part2:Mechanismsusingadedicatedhash-function1 ScopeThis part of ISO/IEC 9797 specifies three MAC algo-rithms that use a secret key and a hash-function (orits round-function) with an n-bit result to calculate anm-bit MAC.

31、These mechanisms can be used as dataintegrity mechanisms to verify that data has not beenaltered in an unauthorised manner. They can also beused as message authentication mechanisms to provideassurance that a message has been originated by an en-tity in possession of the secret key. The strength of

32、thedata integrity mechanism and message authenticationmechanism is dependent on the length (in bits) k andsecrecy of the key, on the length (in bits) n of a hash-code produced by the hash-function, on the strength ofthe hash-function, on the length (in bits) m of the MAC,and on the specific mechanis

33、m.The three mechanisms specified in this part ofISO/IEC 9797 are based on the dedicated hash-functions specified in ISO/IEC 10118-3. The first mech-anism specified in this part of ISO/IEC 9797 is com-monly known as MDx-MAC. It calls the complete hash-function once, but it makes a small modification

34、to theround-function by adding a key to the additive constantsin the round-function. The second mechanism specifiedin this part of ISO/IEC 9797 is commonly known asHMAC. It calls the complete hash-function twice. Thethird mechanism specified in this part of ISO/IEC 9797is a variant of MDx-MAC that t

35、akes as input only shortstrings (at most 256 bits). It offers a higher performancefor applications that work with short input strings only.This part of ISO/IEC 9797 can be applied to the se-curity services of any security architecture, process, orapplication.2 Normative referencesThe following norma

36、tive documents contain provisionswhich, through reference in this text, constitute provi-sions of this part of ISO/IEC 9797. For dated refer-ences, subsequent amendments to, or revisions of, anyof these publications do not apply. However, parties toagreements based on this part of ISO/IEC 9797 are e

37、n-couraged to investigate the possibility of applying themost recent editions of the normative documents indi-catedbelow.Forundatedreferences,thelatesteditionof the normative document referred to applies. MembersofISO andIEC maintainregistersofcurrentlyvalidIn-ternational Standards.ISO646:1991, Info

38、rmation technology ISO 7-bit codedcharacter set for information interchange.ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture.ISO/IEC 10118-1:2000, Information technology Secu-rity techniques Hash-functions Part 1: Genera

39、l.ISO/IEC 10118-3:1998, Information technology Secu-rity techniques Hash-functions Part 3: Dedicatedhash-functions.3 Terms and definitions3.1 For the purposes of this part of ISO/IEC 9797, thefollowing definitions from ISO/IEC 9797-1 apply.3.1.1 MAC algorithm key: a key that controls theoperation of

40、 a MAC algorithm.3.1.2 Message Authentication Code (MAC): thestring of bits which is the output of a MAC algo-rithm.NOTE A MAC is sometimes called a crypto-graphic check value (see for example ISO 7498-2).3.1.3 Message Authentication Code (MAC) al-gorithm: an algorithm for computing a functionwhich

41、maps strings of bits and a secret key to fixed-length strings of bits, satisfying the following twoproperties:c ISO/IEC 2002 All rights reserved 1ISO/IEC 97972:2002(E)- for any key and any input string the functioncan be computed efficiently;- for any fixed key, and given no prior knowledgeof the ke

42、y, it is computationally infeasible tocompute the function value on any new inputstring, even given knowledge of the set of in-put strings and corresponding function values,where the value of the ith input string mayhave been chosen after observing the value ofthe first i1 function values.NOTES1 A M

43、AC algorithm is sometimes called a crypto-graphic check function (see for example ISO 7498-2).2 Computational feasibility depends on the usersspecific security requirements and environment.3.1.4 output transformation: a function that is ap-plied at the end of the MAC algorithm, before thetruncation

44、operation.3.2 This part of ISO/IEC 9797 makes use of thefollowing general security-related terms defined inISO/IEC 10118-1.3.2.1 collision-resistant hash-function:hash-function satisfying the following property:- it is computationally infeasible to find any twodistinct inputs which map to the same o

45、utput.3.2.2 data string (data): string of bits which is theinput to a hash-function.3.2.3 hash-code: string of bits which is the output ofa hash-function.3.2.4 hash-function: function which maps strings ofbits to fixed-length strings of bits, satisfying thefollowing two properties:- for a given outp

46、ut, it is computationally in-feasible to find an input which maps to thisoutput;- for a given input, it is computationally infea-sible to find a second input which maps to thesame output.3.2.5 initializing value: value used in defining thestarting point of a hash-function.3.2.6 padding: appending ex

47、tra bits to a data string.3.3 This part of ISO/IEC 9797 makes use of thefollowing general security-related terms defined inISO/IEC 10118-3.3.3.1 block: bit-string of length L1, i.e., the length ofthe first input to the round-function.3.3.2 round-function: function(.,.) that transformstwo binary stri

48、ngs of lengths L1 and L2 to a binarystring of length L2.NOTE It is used iteratively as part of a hash-function, where it combines a data string of lengthL1 with the previous output of length L2.3.3.3 word: string of 32 bits.4 Symbols and notationThis part of ISO/IEC 9797 makes use of the followingsy

49、mbols and notation defined in ISO/IEC 9797-1:D, Dprime data strings to be input to the MAC algorithm.m the length (in bits) of the MAC.q the number of blocks in the data string D after thepadding and splitting process.j X the string obtained from the string X by takingthe leftmost j bits of X.X Y exclusive-or of bit-strings X and Y.XbardblY concatenation of bit-strings X and Y (in that or-der).:= a symbol denoting the set equal to operation usedin the pro